Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: Quadratic residuosity strikes back)

Circular and leakage resilient public-key

encryption under subgroup indistinguishability

(or: Quadratic residuosity strikes back)

The MIT Faculty has made this article openly available.

Please share

how this access benefits you. Your story matters.

Citation

Brakerski, Zvika, and Shafi Goldwasser. “Circular and

Leakage Resilient Public-Key Encryption Under Subgroup

Indistinguishability.” Advances in Cryptology – CRYPTO 2010. Ed.

Tal Rabin. LNCS Vol. 6223. Berlin, Heidelberg: Springer Berlin

Heidelberg, 2010. 1–20.

As Published

http://dx.doi.org/10.1007/978-3-642-14623-7_1

Publisher

Springer Berlin / Heidelberg

Version

Author's final manuscript

Citable link

http://hdl.handle.net/1721.1/73957

Terms of Use

Creative Commons Attribution-Noncommercial-Share Alike 3.0

Circular and Leakage Resilient Public-Key Encryption

Under Subgroup Indistinguishability

(or: Quadratic Residuosity Strikes Back)

Zvika Brakerski∗ _{Shafi Goldwasser}†

May 25, 2010

Abstract

The main results of this work are new public-key encryption schemes that, under the quadratic residuosity (QR) assumption (or Paillier’s decisional composite residuosity (DCR) assumption), achieve key-dependent message security as well as high resilience to secret key leakage and high resilience to the presence of auxiliary input information.

In particular, under what we call the subgroup indistinguishability assumption, of which the QR and DCR are special cases, we can construct a scheme that has:

• Key-dependent message (circular) security. Achieves security even when encrypting

affine functions of its own secret key (in fact, w.r.t. affine “key-cycles” of predefined length). Our scheme also meets the requirements for extending key-dependent message security to broader classes of functions beyond affine functions using previous techniques of [BGK, ePrint09] or [BHHI, Eurocrypt10].

• Leakage resiliency. Remains secure even if any adversarial low-entropy (efficiently

com-putable) function of the secret key is given to the adversary. A proper selection of param-eters allows for a “leakage rate” of (1 − o(1)) of the length of the secret key.

• Auxiliary-input security. Remains secure even if any sufficiently hard to invert

(effi-ciently computable) function of the secret key is given to the adversary.

Our scheme is the first to achieve key-dependent security and auxiliary-input security based on the DCR and QR assumptions. Previous schemes that achieved these properties relied either on the DDH or LWE assumptions. The proposed scheme is also the first to achieve leakage resiliency for leakage rate (1 − o(1)) of the secret key length, under the QR assumption. We note that leakage resilient schemes under the DCR and the QR assumptions, for the restricted case of composite modulus product of safe primes, were implied by the work of [NS, Crypto09], using hash proof systems. However, under the QR assumption, known constructions of hash proof systems only yield a leakage rate of o(1) of the secret key length.

∗_{Weizmann Institute of Science, zvika.brakerski@weizmann.ac.il.}

1

Introduction

The “classical” definition of semantic secure public-key encryption by Goldwasser and Micali [GM84], requires that an efficient attacker with access to the public encryption-key must not be able to find two messages such that it can distinguish a random encryption of one from a random encryption of the other. Numerous candidate public-key encryption schemes that meet this definition have been presented over the years, both under specific hardness assumptions (like the hardness of factoring) and under general assumptions (such as the existence of injective one-way trapdoor functions).

This notion of security, however (as well as other commonly accepted ones), does not capture certain situations that may occur in the “real world”:

• Functions of the secret decryption-key can be encrypted and sent (note that semantic security

only guarantees security with respect to messages which an efficient attacker can find).

• Information about the secret key may leak.

• The same secret key may be used in more than one application, or more generally the attacker

can somehow obtain the value of a hard-to-invert function of the secret key.

In recent years, extensive research effort has been invested in providing encryption schemes which are provably secure even in the above settings. Such schemes are said to achieve key-dependent

message (KDM) security, leakage-resilience, and auxiliary-input security in correspondence to the

above real world settings. To date, we know of: (1) Candidate schemes which are KDM secure under the decisional Diffie-Hellman (DDH) and under the learning with errors (LWE) assumptions; (2) Candidate schemes that are resilient to key leakage of rate (1 − o(1)) (relative to the length of the secret key), under the LWE assumption and under the DDH assumption. In addition, candidate scheme achieving some leakage resilience under a general assumption: the existence of universal hash-proof systems, with a leakage rate depending on the hash proof system being used; (3) Candidate schemes that are auxiliary input secure under the DDH assumption and under the LWE assumption.

In this work, we present an encryption scheme that achieves all of the above security notions simultaneously and is based on a class of assumptions that we call subgroup indistinguishability

assumptions. Specifically, this class includes the quadratic residuosity (QR) and the decisional

composite residuosity (DCR) assumptions, both of which are related to the problem of factoring large numbers. In addition, our schemes have the following interesting property: the secret key consists of a randomly chosen binary vector independent of the group at hand. The instantiation of our scheme under QR enjoys the same useful properties for protocol design as the original [GM84] scheme, including re-randomization of ciphertexts and support of the XOR homomorphic operation over the {0, 1} message space, with the added benefit of leakage resilience.

To best describe our results, we first, in Section 1.1, describe in detail the background for the new work, including the relevant security notions and previous results. Second, in Section 1.2, we describe in detail the new results and encryption schemes. Then, in Section 1.3, we describe the new techniques. Section 1.4 discusses some additional related works and Section 1.5 contains the paper organization.

1.1 Background

Key-dependent messages. The shortcoming of the standard security definition in the case where the plaintext to be encrypted depends on the secret key was already noticed in [GM84]. It was later observed that this situation is not so unlikely and may sometimes even be desirable [CL01, ABHS05, LC03]. Black, Rogoway and Shrimpton [BRS02] formally defined KDM-security: the attacker can obtain encryptions of (efficient) functions of its choosing, taken from some specified class of functions F, applied to the secret key. The requirement is that the attacker cannot tell if all of its queries are answered by encryptions of some constant symbol 0, instead of the requested values. This definition is extended to the case of many (say n) users that can encrypt each others’ secret keys: the attacker queries now contain a function to be applied to all secret keys, and an identity of the user whose public key should be used to encrypt. This latter case is referred to as KDM(n)-security while the single-user case is called KDM(1)-security.

Boneh, Halevi, Hamburg and Ostrovsky [BHHO08] constructed a public key encryption scheme that is KDM(n) _{secure w.r.t. all affine functions,}1 _{under the decisional Diffie-Hellman (DDH)}

as-sumption, for any polynomial n. This first result was followed by the work of Applebaum, Cash, Peikert and Sahai [ACPS09] who proved that a variation of Regev’s scheme [Reg05] is also KDM secure w.r.t. all affine functions, under the learning with errors (LWE) assumption.

More recent works by Brakerski, Goldwasser and Kalai [BGK09] and by Barak, Haitner, Hofheinz and Ishai [BHHI09] presented each general and different techniques to extend KDM-security to richer classes of functions. In [BGK09], the notion of entropy-κ KDM-KDM-security is in-troduced. A scheme is entropy-κ KDM-secure if it remains KDM-secure even if the secret key is sampled from a high-entropy distribution, rather than a uniform one. They show that an

entropy-κ KDM-secure scheme implies a scheme that is KDM-secure w.r.t. roughly any pre-defined set of

functions of polynomial cardinality. In [BHHI09], the notion of targeted public-key encryption is introduced. A targeted encryption scheme can be thought of as a combination of oblivious transfer and encryption: it is possible to encrypt in such a way that the ciphertext is decryptable only if a certain bit of the secret key takes a predefined value. They show that a targeted encryption scheme implies a KDM-secure scheme w.r.t. all functions computable by circuits of some predefined (poly-nomial) size. These two results achieve incomparable performance. While in the former, the public key and ciphertext lengths depend on the size of the function class (but not on its complexity) and are independent of the number of users n, in the latter the public key size does not depend on the function class, but the ciphertext length is linear in the product of n times the complexity of the functions.

Leakage resiliency. The work on cold boot attacks by Halderman et al. [HSH+_{08], gave rise to the}

notion of public-key encryption resilient to (bounded) memory leakage attacks, presented by Akavia, Goldwasser and Vaikuntanathan [AGV09] and further explored by Naor and Segev [NS09]. In their definition, security holds even if the attacker gets some information of its choosing (depending on the value of the public key) on the scheme’s secret key, so long as the total amount of information leaked does not exceed an a-priori information theoretic bound. More formally, the attacker can request and receive f (sk) for a length-restricted function f .2 _{[AGV09, NS09] presented public-key}

encryption schemes that are resilient to leakage of even a 1 − o(1) fraction of the secret key (we

1_{More precisely “affine in the exponent”: the secret key is a vector of group elements g1, . . . , g}

`and the scheme is

secure w.r.t. functions of the form h ·Qgai i .

2_{To be more precise, the requirement is that the min-entropy of the secret sk drops by at most a bounded amount,}

call this the “leakage rate”). In particular, [AGV09] showed how this can be achieved under the LWE assumption, while [NS09] showed that this can be achieved under the DDH (or d-linear) assumption. It is further shown in [NS09] that some leakage resilience can be achieved using any universal hash proof system (defined in [CS02]), where the leakage rate depends on the parameters of the hash proof system. This implies secure schemes under the the QR and DCR assumptions as well. However, using the known hash proof systems, the leakage rate achievable under the QR assumption was only o(1) — much less than the desired 1 − o(1). Based on the DCR assumption, a leakage rate of (1 − o(1)) was achievable [NS09, CS02, DJ01].

Auxiliary input. Dodis, Kalai and Lovett [DKL09] and Dodis, Goldwasser, Kalai, Peikert and

Vaikuntanathan [DGK+_{10] considered the case where the leakage is not restricted information}

theoretically, but rather computationally. In the public key setting, the attacker is allowed to access any information on the secret key, with the following computational restriction: as long as recovering the secret key sk from said information f (pk, sk), for f of the attackers choosing, is computationally hard to a sufficient extent (see discussion of several formalizations in [DGK+_10]).

This notion of security was termed security in the presence of auxiliary input (or auxiliary-input

security, for short). Public-key auxiliary-input secure encryption schemes under the DDH and LWE

assumptions were recently presented in [DGK+_10].

1.2 New Results

Let us define a generalized class of assumptions called subgroup indistinguishability (SG) assump-tions. A subgroup indistinguishability problem is defined by a group GU (“the universe group”)

which is a direct product of two groups GU = GM×GL(interpreted as “the group of messages” and

“the language group”) whose orders, denoted by M, L respectively, are relatively prime and where GM is a cyclic group. Essentially, the subgroup indistinguishability assumption is that a random

element of the universe GU is computationally indistinguishable from a random element in GL. In

other words, the language G_L is hard on average in the universe G_U. The precise definition is a little more involved, see Section 3 for details.

Two special cases of the subgroup indistinguishability assumptions are the quadratic residu-osity (QR) assumption on Blum integers and Paillier’s decisional composite residuresidu-osity (DCR) assumption. This is easily seen for QR as follows. Let integer N = p · q, where p, q are random primes of equal bit-length, Z∗

N = {x ∈ ZN : gcd(x, N ) = 1}, JN denote the group of Jacobi symbol

(+1) elements of Z∗

N, and QRN = {x2 : x ∈ Z∗N} denote its subgroup of quadratic residues. The

quadratic residuosity (QR) assumption is then, that the uniform distributions over JN and QRN

are computationally indistinguishable. Taking N to be a Blum integer where p, q = 3 (mod 4) (otherwise the orders of G_L, G_M we define next will not be relatively prime) and setting G_U = J_N,

GL = QRN (which is of odd order), and GM = {±1} (which is cyclic and has order 2), the QR

assumption falls immediately into the criteria of subgroup indistinguishability assumptions.

We are now ready to describe the new encryption scheme for a given subgroup problem (G_U, G_M, G_L) where h is a generator for GM. In general, we view the plaintext message space as the elements

hm _{∈ G}

M (sometimes the exponent m itself can be viewed as the message). For the case of QR,

the plaintext message space is GM = {±1}.

A word on the choice of parameters is in order. All parameters are measured as a function of the security parameter k. As customary, in the QR and DCR cases, think of the security parameter as the size of the modulus N (i.e. k = dlog N e). We let ` denote a parameter whose value is

polynomially related to k,3 selected in accordance to the desired properties of the scheme (KDM security, amount of leakage resilience etc.).

The Encryption Scheme for Subgroup Problem (GU, GM, GL) with Parameter `:

• Key generation. Set the secret key to a random binary vector s = (s1, . . . , s`) of length `. Set

the public key to be the tuple (g1, . . . , g`, g0) where g1, . . . , g` are uniformly chosen elements

of G_L and g₀ = Qg−si

i . (For the QR assumption, the public key thus consists of ` random

squares, followed by a product of a random subset of them, selected by the secret key s).

• Encryption. On input message hm,4 sample a uniform integer r from a large enough domain and output the ciphertext (gr

1, . . . , gr`, hm· gr0). (For the QR assumption case, encryption is

of single bits {±1}, and the ciphertext is the tuple of squares in the public key, raised to a random power, where the last one is multiplied by the plaintext message.)

• Decryption. On ciphertext (c₁, . . . , c_`, c₀), compute hm _{= c}

0 ·

Q

csi

i . (For the case of QR,

m = c0 ·

Q

csi

i .) In general, recoverability of the exponent m depends on whether taking

discrete logs in base h of hm _{is easy.}

We remark that the basic structure of our construction is strikingly similar to [BHHO08], where the public key also contains ` independent “random” elements and an additional element that is statistically close to uniform, but in fact is a combination of the previous ones. The difference and challenge is in how to prove security. This challenge is due to the fact that the subgroup indis-tinguishability assumptions seem inherently different from the DDH assumption. In the latter, for cyclic group G where DDH is assumed, the assumption implies that the distribution (g₁, g₂, gr

1, g2r) is

computationally indistinguishable from (g1, g2, g10, g02) giving complete re-randomization (a similar

property follows for LWE). Such re-randomization does not follow nor is it necessarily true from subgroup indistinguishability. Rather, we will have to use the weaker guarantee that (g₁, g₂, gr

1, g2r)

is indistinguishable from (g1, g2, hr

0

· g₁r, hr00· g₂r), giving only “masking” of the message bits. Similarly to the scheme of [BHHO08], our scheme is lacking in efficiency. This is most noticeable in our QR-based scheme, where the encryption of one bit requires a ciphertext containing ` + 1 group elements, each of size roughly the security parameter k. The situation is somewhat better when relying on DCR: there each such ciphertext encrypts Ω(k) bits. Improved efficiency can be achieved by using the same values g1, . . . , g` with many vectors s, however this makes KDM

security hold only with respect to a less natural function class (this is similar to the more efficient LWE based scheme of [ACPS09]) and significantly reduces leakage resiliency. Coming up with more efficient KDM secure or leakage resilient schemes remains an interesting open problem.

We prove the following properties for the new encryption scheme. Property 1: KDM-Security

First, we prove that the scheme is KDM(1)-secure w.r.t. affine functions of the secret key. To show this for QR case, we show that for any affine function specified by a0, . . . , a`, the encryption

of (−1)a0+Piaisi is indistinguishable from the encryption of (−1)0. For the general case, it is

more natural to view KDM(1) with respect to the affine functions “in the exponent”: for any

3_{More precisely, ` is a polynomial function `(k).} 4_{Recall that h is a generator of G}

h0, h1, . . . , h` ∈ GM where hi = hai, for the generator h, we show that an encryption of h0·

Q

hsi

i =

ha0+Piaisi _{is indistinguishable from an encryption of h}0_.

Second, we prove that for any polynomial value of n, the above encryption scheme satisfies KDM(n) _{security, if ` is larger than, roughly, n log L. We note thus that the public key size and}

ciphertext size grow with n to achieve provable KDM(n) security. Interestingly, in the works of [BHHO08, ACPS09], ` did not need to grow with n. This seems difficult to achieve without the complete “re-randomization” property discussed above which does follow from the DDH and LWE assumptions, but not from ours.

Finally, we can also show that our scheme can be used to obtain KDM security for larger classes of functions than affine function: The scheme is entropy-κ KDM-secure (for proper values of `), as required in [BGK09] and therefore implies a scheme that is secure w.r.t. functions of the form a0+

P

iaifi(sk) for (roughly) any set of polynomially-many efficiently computable functions

{f₁, . . . , f_`}. Our scheme also implies a targeted encryption scheme, as required in [BHHI09], and

therefore implies that for any polynomial bound p, there is a scheme that is secure w.r.t. all functions computable by size-p circuits.

Property 2: Improved Key-Leakage Resiliency

We prove that the new scheme is resilient to any leakage of a (1 − o(1)) fraction of the bits of the secret key. Stated differently, if one specifies in advance the amount of leakage λ (a polynomial in the security parameter) to be tolerated, we can choose ` to obtain a scheme that is secure against a leakage of λ bits. The growth of ` is additive in λ (i.e. ` = `0+ λ) and therefore we can select

the value of ` to obtain schemes that are resilient to leakage of a (1 − (`₀/`)) = (1 − o(1)) fraction

of the secret key.

We emphasize that while schemes with the above guarantees were known under LWE [AGV09] or DDH [NS09], and even (implicitly) under DCR [NS09, CS02], this was not the case under QR. Previous results with regards to QR-based leakage resiliency [NS09, CS02] could only approach a leakage rate of 1/k = o(1) (recall that k is the security parameter, or the bit-length of the modulus

N ), compared to (1 − o(1)) in our scheme.

In addition, previous constructions of QR and DCR based hash proof systems required that the modulus used N = p · q is such that p, q are safe primes. We do not impose this restriction. In the QR case we only require that p, q = 3 (mod 4) (i.e. N is a Blum integer) and in the DCR case we only require that p, q have the same bit-length.

Property 3: Auxiliary Input Security

We prove that our schemes remain secure when the attacker has access to additional information on the secret key sk, in the form of f_pk(sk), where f_pk is a polynomial time function (which may depend on the public key) that is evaluated on the secret key sk. First, we consider the case where

f is such that the transition (fpk(sk), pk) → sk is computationally hard. Namely, that retrieving

the secret key sk given the public key pk and the auxiliary information f_pk(sk), is sufficiently hard. This notion was termed weak auxiliary-input security in [DGK+_{10]. In turn, [DGK}+_{10] show how}

to leverage weak auxiliary-input security to achieve security when the requirement on f is weaker: now, only the transition fpk(sk) → sk needs to be hard. The latter is called auxiliary-input security.

We conclude that for all δ > 0, we can select the value of ` such that the scheme is auxiliary-input secure relative to any function that is hard to invert (in polynomial time) with probability

2−`δ. We note that the input to the function is the secret key – a length ` binary string, and therefore we measure hardness as a function of ` (and not of the security parameter k).

1.3 Our Techniques

The circular security, leakage resiliency and auxiliary-input security properties of our scheme are proved using a new technical tool introduced in this work: the interactive vector game. This proof technique can also provide an alternative proof for the KDM(1)_{-security, leakage resiliency and}

auxiliary-input security of (known) public-key encryption schemes based on DDH and LWE, thus providing an alternative, more generic proof for some of the results of [BHHO08, ACPS09, NS09, DGK+_10].5

This suggests an alternative explanation to the folklore belief that the three notions are related: that it is the proof technique that is related in fact. Namely, the proof techniques for each property can be generalized to interactive vector games which, in turn, imply the other properties.

We proceed to overview the proofs of security for the various properties of our scheme. Again, let us consider the groups GU = GM× GLwith h being a generator for GM, such that the subgroup

indistinguishability assumption holds.

To best explain the ideas of the proof, let us consider, as a first step, a simple semantically secure encryption scheme (which is a generalization of the Goldwasser-Micali scheme [GM82]). An encryption of 0 is a random element g ∈ GL and an encryption of 1 is h · g (in the QR case, the

encryption of (+1) is a random quadratic residue and the encryption of (−1) is a random quadratic non-residue). The two distributions are clearly indistinguishable (consider the indistinguishable experiment where g is uniform in GU). In order to decrypt, one needs some “trapdoor information”

that would enable to distinguish between elements in G_L and G_U (such as the factorization of the modulus N in the QR (and DCR) case).

The first modification of this simple idea was to fix g and put it in the public key, and set the ciphertext for hm _{to h}m_{· g}r _{for r large enough. Note that the sender does not know the order of}

GU: Indeed, in the QR case, knowing the order of the group JN, which is ϕ(N )₂ , enables to factor

N . For the QR case, this modification still amounts to encrypting (+1) by a random square, and

(−1) by a random non-square.

The second modification does away with the need of the secret key owner to distinguish between

elements in GL and GU (e.g. with the need to know the factorization of N in the QR case),

by replacing the “trapdoor information” with a secret key that is a uniform binary vector s = (s1, . . . , s`). Holding the secret key will not enable us to solve subgroup indistinguishability, but

will enable us to decrypt as in [BHHO08]. We take a set of random elements g1, . . . , g` ∈ GL and

define g0 =

Q

g−si

i . If ` is large enough, then the leftover hash lemma implies that g0 is almost

uniform. As the ciphertext is (gr₁, . . . , g_`r, hm· gr₀), one can recover hm using s. Recovering m itself is also possible if the discrete logarithm problem in GM is easy, as is the case in the QR scenario.

The crux of the idea in proving security is as following. First, we note that the distribution of g0 is close to uniform in GL, even given g1, . . . , g` (by the leftover hash lemma). Recall that

in a DDH-based proof, we could claim that ((g1, . . . , g`, g0), (gr1, . . . , g`r, gr0)) is computationally

indistinguishable from ((g1, . . . , g`, g0), (g10, . . . , g`0, g00)) (where gi0 are uniform). However, based on

subgroup indistinguishability, a different method is required: Consider replacing g0 with g00 =

5_{In this work, the interactive vector game is defined only for our subgroup indistinguishability assumptions, but}

h · g0, the distribution ((g1, . . . , g`, g0), (g1r, . . . , gr`, g0r)) is computationally indistinguishable from

((g1, . . . , g`, h · g0), (g1r, . . . , gr`, hr· g0r)) under the subgroup indistinguishability assumption. The

crucial observation now is that since the orders of GM and GL are relatively prime, then in fact

g0r

0 = hr

0

· gr

0, where r0 is independent of r. Combined with the fact that GM is cyclic, we get that

((g1, . . . , g`, g0), (gr1, . . . , g`r, gr0)) is indistinguishable from ((g1, . . . , g`, h · g0), (gr1. . . g`r, h0· g0r)), for a

random h0 _{∈ G}

M. Semantic security now follows.

To address the issues of circular security, leakage resiliency and auxiliary-input, we generalize the idea presented above, and prove that the distribution ((g1, . . . , g`), (ha1 · g1r, . . . , ha` · gr`)) is

indistinguishable from ((g1, . . . , g`), (gr1, . . . , g`r)). We provide an interactive variant of this claim,

which we call an interactive `-vector game, where the values of a<sub>1</sub>, . . . , a<sub>`</sub> ∈ Z are selected by the

distinguisher and can depend on (g1, . . . , g`), and show that the above is hard even in such case.

The interactive vector game will be employed in the proofs of all properties of the scheme. For key-dependent message security, we consider the ciphertext (gr

0, g1r, . . . , h · gir, . . . , gr`). This

ciphertext will be decrypted to hsi _{and in fact can be shown (using an interactive vector game)} to be computationally indistinguishable from a legal encryption of hsi_{. Key-dependent message} security follows from this fact.

Proving KDM(n)-security for our scheme is more complex. To illustrate this, we contrast it with the ideas in the proof of [BHHO08]. They used homomorphism and re-randomization to achieve KDM(n)_{-security: Their scheme is shown to have homomorphic properties that enable to “shift”}

public keys and ciphertexts that are relative to a certain secret key, into ones that are relative to another secret key. In order to apply these “shifts”, one only needs to know the relation between the original and final keys (and not the keys themselves). In addition, their scheme is shown to have re-randomization properties that enable to take a public key (or ciphertext) and produce an independent public key (or ciphertext) that corresponds to the same secret key (and message, in the ciphertext case). These two properties enable simulating the KDM(n)_{-security game using}

only one “real” secret key, fabricating the n required keys and ciphertexts using homomorphism and re-randomization. In [ACPS09], similar ideas are employed, but the re-randomization can be viewed as implicit in the assumption (the ability to generate independently looking vectors that are in fact linearly related).

Our scheme can be shown to have such homomorphic properties, but it doesn’t enjoy as strong re-randomizability as required to use the above techniques. As an example, consider a public key

pk = (g0, g1, . . . , g`) corresponding to a secret key sk = (s1, . . . , s`), i.e. g0 =

Q

g−si

i . Let j ∈ [`] and

consider ˆpk = (ˆg0, ˆg1, . . . , ˆg`) defined as follows: for all i 6∈ {j, 0}, set ˆgi = gi; for j, set ˆgj = g−1j ;

and finally set ˆg0= gj·g0= ˆg−(1−sj j)·

Q

i6=jgˆi−si. We get that ˆpk is a properly distributed public key

corresponding to the secret key ˆsk = sk ⊕ ej (sk XORed with the jth unit binary string). Namely,

we were able to “shift” a public key to correspond to another (related) secret key, without knowing the original key. However, the joint distribution of pk, ˆpk is easily distinguishable from that of two

independent public keys. What we lack is the ability to re-randomize ˆpk so that it is distributed

as a public key for ˆsk which is independent of the original pk.

Intuitively, this shortcoming requires us to use more “real randomness”. Our proof simulates the KDM(n)-security game using only one “real” secret key, as in the idea presented above. This secret key is used to fabricate n secret and public keys. However, when we want to apply the leftover hash lemma to claim that the g₀ components of all n fabricated public keys are close to uniform, we need the one real secret key to have sufficient entropy. This requires a secret key whose size is linear in n. These ideas, combined with the ones used to prove KDM(1) security, give our

final proof.

The property of entropy-κ KDM-security requires that the scheme remains secure even when the secret key is sampled from a high-entropy (but not necessarily uniform) distribution. This is shown to hold using the leftover hash lemma, sinceQgsi

i is a 2-universal hash function. A targeted

encryption scheme is obtained similarly to the other constructions in [BHHI09], by using the fact that we can “fabricate” ciphertexts that correspond to affine functions of the secret key without knowing the secret key itself.

Leakage resiliency and auxiliary-input security are proven by an almost identical argument: consider a case where we replace the ciphertext (hm_{· g}r

0, g1r, . . . , gr`) with a computationally

indis-tinguishable one: (h−Pσisi· hm· gr

0, hσ1 · g1r, . . . , hσ`· g`r), where σi ∈ ZM are uniform.

Computa-tional indistinguishability (even for a known secret key) follows from the interactive vector game mentioned above. For leakage-resilience, the leftover hash lemma implies that so long as there is sufficient entropy in s after the leakage, Pσ_is_i will be close to uniform and will “mask” the value of m. For auxiliary input we use the generalized Goldreich-Levin theorem of [DGK+_{10] to show}

thatPσisi is close to uniform in the presence of a function of s that is hard to invert, even given

the public key. Thus obtaining weak auxiliary-input security. In the QR case, the inner product is over Z2 and therefore we can use the “standard” Goldreich-Levin theorem [GL89], which implies

better parameters. We use leveraging (as used in [DGK+_{10]) to obtain the full result.}

1.4 Other Related Work

Cramer and Shoup [CS02] presented the notion of hash proof systems, which are similar to subgroup indistinguishability assumptions. Their implementations from QR and DCR also do not require the factorization of N in order to decrypt. However they use the discrete logarithm of (their analog to) the gi’s as a secret key for the system. Our scheme can be seen as taking another step towards

“stripping” the secret key of all structure: in our scheme, it is just a uniform sequence of bits (resulting in a weaker form of a hash proof system that is “universal on average”).

Hemenway and Ostrovsky [HO09] show how to construct lossy trapdoor functions (see [PW08] for definition) from the QR and DCR assumptions (among other assumptions). Similar ideas can be used in a straightforward manner to construct lossy trapdoor functions from subgroup indistinguishability assumptions with special properties.

1.5 Paper Organization

Preliminaries and definitions are presented in Section 2. The definition of subgroup indistinguisha-bility assumptions and instantiations from QR and DCR appear in Section 3.

In the interest of clarity and to simplify our presentation, the body of the paper only discusses the construction based on the QR assumption. Some of the proofs are omitted from this part. The general case, for any subgroup indistinguishability assumption, is presented and analyzed in detail in the appendix.

Our QR-based encryption scheme is presented in Section 4, followed, in Section 5, by introduc-tion of the interactive vector game: a central technical tool to be used for the analysis throughout the paper. KDM-security is discussed in Section 6, leakage-resilience in Section 7 and auxiliary-input security in Section 8.

In Appendix A we present a variant of [DGK+10, Theorem 1], together with a proof, for the sake of completeness. Appendix B contains the general presentation of our construction from subgroup

indistinguishability assumptions, together with the full proofs.

2

Preliminaries

We denote scalars in plain lowercase (x ∈ {0, 1}) and vectors in bold lowercase (x ∈ {0, 1}n). The

ith _{coordinate of x is denoted x}

i. The vector inner product of x, y is denoted by hx, yi and is

defined to be Pxi· yi. The vector ei is the ith unit vector.

For any K ∈ N, we denote [K] = {1, . . . , K}. We let ZK denote the ring Z/KZ and let Z∗K

denote the group of units in ZK. Euler’s totient function is denoted by ϕ(·).

Arithmetic operations are always performed in Z but can sometimes also be interpreted as being performed over ZK, for some value K ∈ N. Specifically, if h is an element of order K in a

multiplicative group, then hx _{= h}(x mod K)_{, so operations “in the exponent of h” can be interpreted}

as operations over ZK. We usually write (mod K) to indicate that an operation is performed over

ZK, but we sometimes omit this when K is clear from the context.

For vectors g, h ∈ Gn_{, where G is a multiplicative commutative group, we denote by g}r _the

vector whose ith _{coordinate is g}r

i. We denote by h · g the vector whose ith coordinate is hi· gi. Note

that this does not denote an inner product. For a group element g ∈ G and a vector x ∈ Z, we let

gx _{denote the vector whose i}th _{coordinate is g}xi_.

Let X be a probability distribution over a domain S, we write x ← X to indicate that x is$

sampled from the distribution X. The uniform distribution over a set S is denoted U (S). We use

x ← S as abbreviation for x$ ← U (S). For any function f with domain S we let f (X) denote the$

random variable (or corresponding distribution) obtained by sampling x← X and outputting f (x).$

The min-entropy of a (discrete) random variable X is H∞(X) = minx∈S{− log Pr[X = x]}.

We write negl(k) to denote an arbitrary negligible function, i.e. one that vanishes faster than the inverse of any polynomial.

The statistical distance between two distributions X, Y (or random variables with those distribu-tions) over a common domain S is maxA⊆S|Pr[X ∈ A] − Pr[Y ∈ A]|. Two ensembles X = {Xk}k,

Y = {Yk}k are ² = ²(k)-close if for all k, the distance between Xk and Yk is at most ²(k) and are

statistically indistinguishable if ²(k) = negl(k). An ensemble X = {X_k}_k over domains S = {S_k}_k

is ² = ²(k)-uniform in S if it is ²-close to the uniform ensemble over S (we sometimes omit S when it is clear from the context). X = {Xk}k, Y = {Yk}kare computationally indistinguishable if every

poly(k)-time adversary A has negligible distinguishing advantage:

DistX,YAdv[A] = |Pr[A(Xk) = 1] − Pr[A(Yk) = 1]| = negl(k) .

We often abbreviate and write DistAdv[A] when X, Y are clear from the context.

2.1 KDM Security

A public-key encryption scheme E = (G, E, D) is defined by its key generation, encryption and decryption algorithms. The key generation algorithm G takes as input the unary vector 1k_{, where k}

is called the security parameter of the scheme. All other parameters of the scheme are parameterized by k. We let S = {S_k} denote the space of secret keys and M = {M_k} denote the message space of

the encryption scheme. We refer the reader to [Gol04] for a formal definition of encryption schemes and their security.

In the scenario of key-dependent messages, we wish to model the case where functions of the secret key can be encrypted, and require that the resulting ciphertexts are indistinguishable from encryptions of 0. We want our definition to apply also for the case of “key cycles” where a function of one user’s secret key is encrypted by another’s public key and vice versa. The most inclusive definition, therefore, is parameterized by the number of users n and allows encrypting a function of the entire vector of n secret keys under any of the corresponding public keys (this is sometimes referred to as “clique security”). An additional parameter to be considered is the set of functions of the secret key that we allow to encrypt. We use the definition presented in [BHHO08].

Formally, let E = (G, E, D) be a public key encryption scheme, n > 0 be an integer, S = {S_k}

be the space of secret keys, and let F = {F_k} be a class of functions such that F_k ⊆ Sn

k → Mk.

We define the KDM(n) _{game, w.r.t. the function class F, played between a challenger and an}

adversary as follows.

Initialize. The challenger selects b ← {0, 1} and generates, for all i ∈ [n], key pairs (sk$ i, pki) $

← G(1k_{). The challenger then sends {pk}

i}i∈[n]to the adversary.

Query. The adversary makes queries of the form (i, f ) ∈ [n] × Fk. For each query, the challenger

computes y ← f (sk1, . . . , skn) and sends the following ciphertext to the adversary.

c ←

½

Epki(y) if b = 0

Epki(0) if b = 1. Finish. The adversary outputs a guess b0_{∈ {0, 1}.}

The scheme E is KDM(n) _{secure if any polynomial time adversary A has negligible advantage:}

KDM(n)Adv[A] =¯¯Pr[b0= 1|b = 0] − Pr[b0 = 1|b = 1]¯¯ = negl(k) . We sometime denote KDM(n)_F to indicate the function class in discussion.

2.2 Leakage Resilient Encryption

In the scenario of key-leakage resiliency, we wish to model the case where some (adversarially selected restricted amount of) information about the secret key is revealed to the attacker. We require that even in the presence of this additional information, the security of the scheme remains intact. The definition below is essentially adopted from [NS09].

Let E = (G, E, D) be a public key encryption scheme with key-space S = {Sk} and message

space M = {M_k}. We define the λ-leakage game, for the non-negative parameter λ = λ(k), played

between a challenger and an adversary as follows.

Initialize. The challenger selects b ← {0, 1} and generates a key-pair (sk, pk)$ ← G(1$ k_{). The}

challenger sends pk to the adversary.

Leakage. The adversary sends an efficiently computable function f : S_k → {0, 1}λ _{to the}

chal-lenger. The challenger computes f (sk) and returns this value to the adversary.

Challenge. The adversary sends m0, m1 ∈ Mk to the challenger. The challenger computes

y ← E_pk(m_b) and sends y to the adversary.

Finish. The adversary outputs a guess b0_{∈ {0, 1}.}

The scheme E is λ-leakage secure if for any polynomial time adversary A it holds that Leak_λAdv[A] =¯¯Pr[b0= 1|b = 0] − Pr[b0 = 1|b = 1]¯¯ = negl(k) .

We note that the definition can be extended to the case of chosen ciphertext attacks (see [NS09]), in this work we only consider the case of chosen plaintext attacks described above.

2.3 Auxiliary-Input Resilient Encryption

The scenario of auxiliary-input resiliency is quite similar to that of key-leakage resiliency described in Section 2.2. As in the previous case, we model a scenario where the attacker can access additional information about the secret key. In this case, however, the restriction on the amount of information is computational rather than information theoretic. The definition is adopted (and slightly adapted) from [DGK+10].

Let E = (G, E, D) be a public key encryption scheme with secret-key space S = {Sk}, public key

space P = {P_k} and message space M = {M_k}. For any family of functions f = {f_k : S × P →

{0, 1}∗}, we define the inverting advantage and weak inverting advantage of an adversary A as

follows.

InvfAdv[A] = Pr

(sk,pk)←G(1k₎[A(1

k_{, f}

k(sk, pk)) = sk] ,

Invweak_f Adv[A] = Pr

(sk,pk)←G(1k₎[A(1

k_{, pk, f}

k(sk, pk)) = sk] .

The public parameters of the scheme are an additional implicit argument to both f and A (in both definitions). Let ` denote the length of the binary representation of the secret key. A polynomial time computable function f is ² = ²(`)-hard to invert (resp. ²-weakly hard to invert)6 _{if for any}

polynomial time A it holds that Inv_fAdv[A] ≤ ² (resp. Invweak

f Adv[A] ≤ ²). We stress that the

notion of “hard to invert functions” is weaker than the standard notion of one-way functions since we require the recovery of the original secret key (and not of just any pre-image). Thus a function that is not one-way can still be hard to invert.

For any efficiently computable function family f , we consider the f -auxiliary input game, played between a challenger and an adversary as follows.

Initialize. The challenger selects b ← {0, 1} and generates a key-pair (sk, pk)$ ← G(1$ k_{). The}

challenger sends pk to the adversary.

Auxiliary input. The challenger computes z ← fk(sk, pk) and sends z to the adversary.

Challenge. The adversary sends m₀, m₁ ∈ M_k to the challenger. The challenger computes

y ← Epk(mb) and sends y to the adversary.

Finish. The adversary outputs a guess b0_{∈ {0, 1}.}

The scheme E is ²-auxiliary input secure (Aux²-secure) if for any ²-uninvertible f and for any

polynomial time A it holds that

AuxfAdv[A] =

¯

¯Pr[b0_{= 1|b = 0] − Pr[b}0 _{= 1|b = 1]}¯_{¯ = negl(k) .}

E is ²-weakly auxiliary-input secure (Auxweak

² -secure) if the above holds for any ²-weakly uninvertible

function f .

2.4 Technical Tools

We use the following simple lemma.

Lemma 2.1. Let T, N ∈ N and let x← [T ], then x (mod N ) is (N/T )-uniform in Z$ N.

Proof. Define d = (T mod N ), then conditioned on the event x ∈ [T − d], it holds that (x mod N )

is uniform in ZN. Therefore (x mod N ) is (d/T ) ≤ (N/T )-uniform.

2.4.1 Simplified Leftover Hash Lemma and Applications

We use the following lemma which is an immediate corollary of the leftover hash lemma and explicitly appears in [BHHO08, Lemma 2].

Lemma 2.2. Let H be a 2-universal hash family from a set X to a set Y . Then the distribution (h, h(x)) where h← H, x$ ← X is$

q

|Y |

4|X|-uniform in H × Y .

We also require the following consequence.

Lemma 2.3. Let H be a 2-universal hash family from a set X to a set Y . Let f : X → Z be

some function. Then the distribution (h, h(x), f (x)) where h ← H, x$ ← X is$

q

|Y |·|Z|

4|X| -close to

(h, y, f (x)), for y← Y .$

Proof. For all z ∈ Z, denote Xz = {x ∈ X : f (x) = z} and pz = |Xz| / |X|. Then by Lemma 2.2,

(h, h(x), f (x)) conditioned on f (x) = z is q

|Y |

4|Xz|-close to (h, y, f (x)) conditioned on f (x) = z. Averaging over all z ∈ Z, we get that the distance between (h, h(x), f (x)) and (h, y, f (x)) is at most X z∈Z Ã pz· s |Y | 4 |Xz| ! = s |Y | 4 |X|· X z∈Z √ pz ≤ s |Y | |Z| 4 |X| . The result follows.

We often use a families of 2-universal hash functions of the form presented below.

Lemma 2.4. Let G be any finite commutative group and let ` ∈ N. Then the set of functions

H = {hg1,...,g` : {0, 1}` → G}g1,...,g`∈G where hg1,...,g`(x) = Q

i∈[`]gixi, is 2-universal.

Note that the group G needs not be cyclic.

Proof. Consider x 6= y and assume w.l.o.g that x1 6= y1. Then for g1, . . . , g` ← G it holds that$

gx1−y1₁ is uniformly distributed in G and the result follows.

2.4.2 The Goldreich-Levin Theorem

The Goldreich-Levin hard core predicate is stated in the following theorem.

Theorem 2.5 ([GL89]). Let f : {0, 1}n_{→ {0, 1}}∗ _{be any (possibly randomized) function and let A}

be such that ¯ ¯ ¯ Pr x,r←{0,1}$ n [A(f (x), r, hr, xi) = 1] − Pr x,r←{0,1}$ n_, u←{0,1}$ [A(f (x), r, u) = 1] ¯ ¯ ¯ ≥ ² ,

then there exists BA _{that runs in time poly(n, 1/²) such that}

3

Subgroup Indistinguishability Assumptions

We present the class of subgroup indistinguishability assumptions in Section 3.1 and then discuss instantiations under the QR and DCR assumptions in Section 3.2.

3.1 Definition of a Subgroup Indistinguishability (SG) Problem

Let G_U be a finite commutative multiplicative group, such that G_U is a direct product of two

groups: GU = GM × GL (interpreted as the “message group” and the “language group”), where

GM is cyclic of order M , GL is of order L (and is not necessarily cyclic) and GU is of order M · L

(we abuse notation and use M, L to index the groups and to denote their orders). We require that gcd(M, L) = 1. Let h be a generator for GM such that h is efficiently computable from the

description of GU. We require that there exists an efficient algorithm OPGU to perform group operations in G_U, and also that there exist efficient sampling algorithms S_GM, S_GL that sample a random element from GM, GL respectively. We further require that an upper bound T ≥ M · L is

known.

We stress that as always, all groups described above are in fact families of groups, indexed by the security parameter k. To be more precise, there exists a polynomial time randomized algorithm that given the security parameter 1k_{, outputs I}

GU = (OPGU, SGM, SGL, h, T ). We refer to IGU as

an instance of G_U.

For any adversary A we denote the subgroup distinguishing advantage of A by SGAdv[A] = ¯ ¯ ¯ Pr x←G$ U [A(1k, x)] − Pr x←G$ L [A(1k, x)] ¯ ¯ ¯ .

That is, the advantage A has in distinguishing between G_U and G_L. The subgroup

indistinguisha-bility (SG) assumption is that for any polynomial A it holds that for a properly sampled instance IGU, we have SGAdv[A] = negl(k) (note that in such case it must be that 1/L = negl(k)). In other words, thinking of GL⊆ GU as a language, the assumption is that this language is hard on average.

We define an additional flavor of the assumption by SG0Adv[A] = ¯ ¯ ¯ Pr x←G$ L [A(1k, h · x)] − Pr x←G$ L [A(1k, x)] ¯ ¯ ¯ .

It follows immediately that for any adversary A there exists an adversary B such that SG0Adv[A] ≤ 2 · SGAdv[B].

3.2 Instantiations

We instantiate the SG assumption based on the QR and DCR assumptions.

For both instantiations we consider a modulus N defined as follows. For security parameter k, we sample a random RSA number N ∈ N: this is a number of the form N = pq where p, q are random k-bit odd primes.

We note that our instantiations work even when the modulus N is such that QR_N is not cyclic.

3.2.1 Instantiation Under the QR Assumption with Any Blum Integer

Consider a modulus N as described above. We use JN to denote the set of elements in Z∗_N with

abusing notation JN, QRN also denote the respective groups with the multiplication operation

modulo N . The groups JN, QRN have orders ϕ(N )2 ,

ϕ(N )

4 respectively and we denote N0 =

ϕ(N )

4 .

We require that N is a Blum integer, namely that p, q = 3 (mod 4). In such case it holds that gcd(2, N0_{) = 1 and (−1) ∈ J}

N \ QRN.

The quadratic residuosity (QR) assumption is that for a properly generated N , the distribu-tions U (JN) and U (QRN) are computationally indistinguishable.7 This leads to the immediate

instantiation of the SG assumption by setting GU = JN, GM = {±1}, GL = QRN, h = (−1),

T = N ≥ 2N0_.

3.2.2 Instantiation Under the DCR Assumption

The decisional composite residuosity (DCR) assumption, introduced by Paillier [Pai99], states that for a properly generated RSA number N , it is hard to distinguish between a random element in Z∗

N2 and a random element in the subgroup of Nth-residues {xN : x ∈ Z∗_N2}. The group Z∗_N2 can

be written as a product of the group generated by 1 + N (which has order N ) and the group of Nth

residues (which has order ϕ(N )). This implies that setting GU = Z∗_N2, GL = {xN : x ∈ Z∗_N2} and

GM = {(1 + N )i: i ∈ [N ]} provides an instantiation of the SG assumption, setting h = (1 + N ) and

T = N2. It is left to check that indeed gcd(N, ϕ(N )) = 1. This follows since p, q are odd primes of equal length: assume w.l.o.g that p/2 < q < p, then the largest prime divisor of ϕ(N ) = (p−1)(q−1) has size at most (p − 1)/2 < p, q and the claim follows.8

4

Description of the Encryption Scheme

In the interest of clarity, we only present the QR-based scheme here. The general case is presented in Appendix B.1. The scheme E[`] is defined below.

Parameters. The scheme is parameterized by ` ∈ N which is polynomial in the security parameter. The exact value of ` is determined based on the specific properties we require from the scheme.

The message space of E[`] is M = {0, 1}, i.e. this is a bit-by-bit encryption scheme.

Key generation. The key generator first samples a Blum integer N . We note that the same value of N can be used by all users. Furthermore we stress that no entity needs to know the factorization of N . Therefore we often refer to N as a public parameter of the scheme and assume that it is implicitly known to all users.

The key generator also samples s ← {0, 1}$ ` _{and sets sk = s. It then samples g} $

← QR`<sub>N</sub> and sets g<sub>0</sub> = (Q<sub>i∈[`]</sub>gsi

i )−1. The public key is set to be pk = (g0, g) (with N as an additional implicit

public parameter).

Encryption. On inputs a public key pk = (g0, g) and a message m ∈ {0, 1}, the encryption

7_{The QR assumption usually refers to random RSA numbers, which are not necessarily Blum integers. However,}

since Blum integers have constant density among RSA numbers, the flavor we use is implied.

8_{If greater efficiency is desired, we can use a generalized form of the assumption, presented in [DJ01]. Let d ≥ 1}

be a parameter that is polynomial in the security parameter and consider the group GU= Z∗_Nd+1. Then GU can be

written as a product GU = GM × GLwhere GM is cyclic and has order M = Ndand generator h = (N + 1). The

group GLis the group {xN d

: x ∈ Z∗

Nd+1} which is isomorphic to Z∗N. Clearly gcd(Nd, ϕ(N )) = 1 and we can use the

bound T = Nd+1_{≥ N}d_{· ϕ(N ).}

It is proven in [DJ01] that under the DCR assumption, the subgroup indistinguishability problem defined by the above groups is hard for any polynomial d. Specifically, taking d = 1 gives Paillier’s original assumption.

algorithm runs as follows: it samples r ← [N$ 2_],9 _{and computes c = g}r _{and c}

0 = (−1)m· g0r. It

outputs a ciphertext (c0, c).

Decryption. On inputs a secret key sk = s and a ciphertext (c₀, c), the decryption algorithm

computes (−1)m _{= c}

0·

Q

i∈[`]csii and outputs m.

The completeness of the scheme follows immediately by definition.

5

The Interactive Vector Game

We define the interactive `-vector game played between a challenger and an adversary. We only present the QR-based game and refer the reader to the general definition in Appendix B.2.

Initialize. The challenger samples b ← {0, 1} and also generates a Blum integer N and a vector$

g← QR$ `_N. It sends N and g to the adversary.

Query. The adversary adaptively makes queries, where each query is a vector a ∈ {0, 1}`_{. For}

each query a, the challenger samples r← [N$ 2_{] and returns (−1)}a_{· g}r _{if b = 0 and g}r _{if b = 1.}

Finish. The adversary outputs a guess b0∈ {0, 1}.

The advantage of an adversary A in the game is defined to be IV`Adv[A] =

¯

¯Pr[b0_{= 1|b = 0] − Pr[b}0 _{= 1|b = 1]}¯_{¯ .}

Under the QR assumption, no poly(k)-time adversary (where k is the security parameter) can obtain a non-negligible advantage in the game, as formally stated below.

Lemma 5.1. Let A be an adversary for the interactive `-vector game that makes at most t queries,

then there exists an adversary B for QR such that

IV<sub>`</sub>Adv[A] ≤ 4t` · QRAdv[B] + 2t`/N .

Proof. A standard hybrid argument implies the existence of A1 which is an adversary for a 1-round

game (t = 1 in our notation) such that IV_{`</sub>Adv[A] ≤ t · IV<sub>`}Adv[A₁].

We consider a series of hybrids (experiments). For each hybrid Hi, we let Pr[Hi] denote the

probability that the experiment “succeeds” (an event we define below).

Hybrid H0. In this experiment, we flip a coin b ← {0, 1} and also sample i$ ← [`]. We simulate$

the 1-round game with A1 where the challenger answers a query a with (gr1, . . . , gi−1r , (−1)b·ai ·

gr

i, (−1)ai+1· gri+1, . . . , (−1)a`· gr`). The experiment succeeds if b0= b.

A standard argument shows that

IV`Adv[A1] 2` = ¯ ¯ ¯ ¯Pr[H0] − 1₂ ¯ ¯ ¯ ¯ .

Hybrid H1. In this hybrid we replace gi (which is a uniform square) with (−gi). We get that

there exists B such that |Pr[H1] − Pr[H0]| ≤ 2 · QRAdv[B].

9_{A more natural choice is to sample r} $

← [|JN|], but since |JN| = 2N0 = ϕ(N )₂ is hard to compute, we cannot

sample from this distribution directly. However, since r is used as an exponent of a group element, it is sufficient that (r mod 2N0_{) is uniform in Z}

2N0, and this is achieved by sampling r from a much larger domain.

We further remark that, as pointed out to us by Adi Shamir, we could alternatively use r $

← [(N − 1)/2], since U ([(N − 1)/2]) and U ([ϕ(N )/2]) are statistically indistinguishable.

We note that in this hybrid the adversary’s query is answered with (g₁r, . . . , gr_i−1, (−1)b·ai _· (−gi)r, (−1)ai+1· gri+1, . . . , (−1)a`· gr`).

Hybrid H2. In this hybrid the only change is that now r ← Z$ 2N0 (recall that N0 = ϕ(N )

4 ) rather

than U ([N2_{]). By Lemma 2.1 it follows that |Pr[H}

2] − Pr[H1]| ≤ 1/N . We note that while N0 is

not explicitly known to any entity, the argument here is statistical and there is no requirement that this hybrid is efficiently simulated.

We denote r1 = (r mod 2) and r2 = (r mod N0). Since N0 is odd, the Chinese Remainder

Theorem implies that r₁, r₂ are uniform in Z₂, Z_N0 respectively and are independent. The answer to the query in this scenario is therefore

(g₁r, . . . , gr_i−1, (−1)b·ai_{· (−g}

i)r, (−1)ai+1· gri+1, . . . , (−1)a`· gr`) =

(g₁r2, . . . , gr2_i−1, (−1)b·ai+r1 _{· g}r2

i , (−1)ai+1· gr2i+1, . . . , (−1)a`· g`r2) .

However since r1 is a uniform bit, the answer is independent of b. It follows that Pr[H2] = 1₂.

It follows that IV<sub>`</sub>Adv[A1] ≤ 4` · QRAdv[B] + 2`/N , and the result follows.

6

KDM Security

In this section, we discuss the KDM-security related properties of our scheme. We only discuss our QR-based encryption scheme in this section, in the interest of clarity. We prove the KDM(1) -security of E[`], for ` ≥ log N + ω(log k), in Section 6.1. Then, in Section 6.2, we state and prove that for ` ≥ n · log N + ω(log k), E[`] is also KDM(n)_{-secure. Finally, extensions beyond affine}

functions are stated without proof in Section 6.3.

A presentation and analysis of the general case, including all relevant proofs, is provided in Appendix B.3.

Throughout this section we define Faff to be the class of affine functions over Z2, namely the

class of all functions of the form fa0,a(x) = a0+

P

aixi, where ai, xi∈ Z2, and arithmetics are also

over Z2.

6.1 KDM(1)-Security

The intuition behind the KDM(1)-security of E[`] is as follows. Consider a public key (g0 =

Q

g−si

i , g) that corresponds to a secret key s, and a function fa0,a ∈ Faff. The encryption of

fa0,a(s) = (−1)a0+ P aisi _is (c₀, c) = ((−1)a0+Paisi_{· g}r 0, gr) = ((−1)a0 · Y ((−1)ai_{· g}r i)−si, gr) .

We notice that if s, a0, a are known, then c0 is completely determined by c = gr. Therefore, if we

replace gr _{with (−1)}a_{· g}r _{(an indistinguishable vector, even given the public key, by an interactive}

vector game), we see that (c₀, c) is indistinguishable from (c0

0, c0) = ((−1)a0 · gr0, (−1)a· gr), even

when the secret key and the message are known. Applying the same argument again, taking into account that g0 is close to uniform, implies that (c00, c0) is computationally indistinguishable from

(gr

Theorem 6.1. Let A be a KDM(1)_Faff-adversary for E[`] that makes at most t queries, then there exists an adversary B such that

KDM(1)_FaffAdv[A] ≤ 4t(2` + 1) · QRAdv[B] +√N · 2−`_{+ O(t`/N ) .}

The theorem implies that taking ` = log N + ω(log k) is sufficient to obtain KDM(1)_-security.

Proof. The proof proceeds by a series of hybrids.

Hybrid H₀. This hybrid is identical to the KDM(1) _{game with b = 0. By definition Pr}

H0[b0 = 1] =

Pr[b0 _{= 1|b = 0].}

Hybrid H1. In this hybrid, we change the way the challenger answers the adversary’s queries.

Recall that in hybrid H₀, the query f_a0,a ∈ F_aff was answered by (c₀, c) = ((−1)a0+Paisi · gr

0, gr).

In hybrid H1, it will be answered by (c0, c) = ((−1)a0 · gr0, (−1)a· gr).

We prove that ¯ ¯ ¯ ¯Pr_H1[b0 = 1] − Pr_H0[b0 = 1] ¯ ¯ ¯

¯ ≤ IV`Adv[A0] ≤ 4t` · QRAdv[B1] + O(t`/N ) ,

for some A0_{, B}

1, even when s is fixed and known.

To see this, we notice that in both hybrids c0 = (−1)a0·

Q

i∈[`]((−1)ai·c−1i )si and g0 =

Q

i∈[`]g−si i.

Therefore an adversary A0 _{for the interactive `-vector game can simulate A, sampling s on its own}

and using g to generate g₀ and “translate” the challenger answers. Applying Lemma 5.1, the result follows.

Hybrid H2. In this hybrid, we change the distribution of g0, which will now be sampled from

U (QR_N). By Lemma 2.4 combined with Lemma 2.2, (g0, g) is

q N0 2`+2 ≤ q N 2`+2-uniform. Thus ¯ ¯ ¯ ¯Pr_H2[b0 = 1] − Pr_H1[b0 = 1] ¯ ¯ ¯ ¯ ≤ r N 2`+2 .

Hybrid H3. In this hybrid, we again change the way the challenger answers queries. Now instead of

answering (c₀, c) = ((−1)a0_·gr

0, (−1)a·gr)), the challenger answers (c0, c) = (gr0, gr). The difference

between H2 and H3 is now a t-query interactive (` + 1)-vector game and thus by Lemma 5.1,

¯ ¯ ¯ ¯Pr_H3[b0 = 1] − Pr_H2[b0 = 1] ¯ ¯ ¯ ¯ ≤ 4t(` + 1) · QRAdv[B2] + O(t`/N ) , for some B₂.

Hybrid H4. We now revert the distribution of g0 back to the original

Q i∈[`]g−si i. Similarly to H2, we have <sub>¯</sub> ¯ ¯ ¯Pr<sub>H4</sub>[b0 = 1] − Pr<sub>H3</sub>[b0 = 1] ¯ ¯ ¯ ¯ ≤ r N 2`+2 .

However, hybrid H4 is identical to the KDM(1) game with b = 1, as all queries are answered

by encryptions of 0: Pr_H4[b0 _{= 1] = Pr[b}0 _{= 1|b = 1]. Summing the terms above, the result follows}

6.2 KDM(n)_-Security

A formal statement and proof for the QR case follows. For the statement and proof in the general case, see Appendix B.3.3.

Theorem 6.2. Let A be a KDM(n)_Faff-adversary for E[`] that makes at most t queries, then there exists an adversary B such that

KDM(n)_FaffAdv[A] ≤ 4nt(2` + 1) · QRAdv[B] + (N · 2−`/n)n/2+ O(nt`/N ) .

The theorem implies that taking ` = n · log N + ω(log k) is sufficient for KDM(n)-security.

Proof. Let us first introduce the notation used in the proof: We now consider functions in F_affthat are applied to a concatenated vector of n secret keys. We will denote such functions by fa0,a1,...,an, where a0∈ {0, 1} and ai∈ {0, 1}`, and such that for all x1, . . . , xn∈ {0, 1}` the function is defined

by

fa0,a1,...,an(x1, . . . , xn) = a0+ X

j∈[n],i∈[`]

aj,i· xj,i .

All arithmetic operations are over Z2.

The proof follows the outline of the proof of Theorem 6.1 with slight modifications to the hybrids.

Hybrid H0. This hybrid is identical to the KDM(n)game with b = 0. Let {ski = si}i∈[n]denote the

generated secret keys and {pk_i = (g_0,i, g_i)}_i∈[n]denote the public keys produced by the challenger. By definition PrH0[b0 = 1] = Pr[b0= 1|b = 0].

Hybrid H1. We change the way the challenger answers the adversary’s queries. For each query

((a₀, {a_j}_j∈[n]), i) made by A, the challenger does as follows.

Define yi,j = si⊕ sj (the binary XOR operation). Given {yi,j}i,j, the challenger finds (a00, a0)

such that f_a0

0,a0(si) = fa0,{aj}j∈[n](s1, . . . , sn). This is possible to do without knowing the values of the {si}, only {yi,j}: Consider the element sj,i0 (the i0th element of s_j). We know that s_j,i0 =

si,i0 ⊕ (y_i,j)_i0. Therefore we know that if (y_i,j)_i0 = 0 then s_j,i0 = s_i,i0 and if (y_i,j)_i0 = 1 then

sj,i0 = 1 − s_i,i0. We can thus replace the a_j,i0· s_j,i0 element in the description of the function f with either a_j,i0·s_i,i0 or a_j,i0·(1−s_i,i0), depending on the (known) value of (y_i,j)_i0. Doing this one variable at a time, results in an affine function of only si. We again stress that we only used {yi,j}i,j for

this transformation.

The challenger in this hybrid answers with (c0, c) = ((−1)a

0 0· gr 0,i, (−1)a 0 · gr i) instead of (c0, c) = ((−1)a00+ P j∈[`]a0j·si,j<sub>· g</sub>r 0,i, gri). It holds that ¯ ¯ ¯ ¯Pr<sub>H1</sub>[b0 = 1] − Pr<sub>H0</sub>[b0= 1] ¯ ¯ ¯ ¯ ≤ 4nt` · QRAdv[B1] + O(nt`/N ) ,

since, as in the proof of Theorem 6.1, the difference between the hybrids can be viewed as a t-round interactive (n`)-vector game, considering (g1, . . . , gn) as the first message, and now the simulated

adversary only needs a part of the answer for each query (the one that is respective to the user i for which the query was made).

Hybrid H2. Following the proof outline of Theorem 6.1, we change the distributions of g0,i for all